Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-11 Thread Axel Beckert
Hi!

Am Fri, Feb 11, 2005 at 10:06:55AM +0900, Tokio Kikuchi schrieb:
 Python 1 (respectively at least 1.5.2) complains about syntax
 errors. (Which, in fact, also helps against the vulnerability by
 displaying the "You've found a Mailman bug" page. ;-)
 
 Change the true_path function as:
 
 def true_path(path):
     """Ensure that the path is safe by removing .."""
     import re
     # Delete every run of dots followed by slashes, then drop the
     # leading character (the '/' that starts PATH_INFO).
     path = re.sub(r'\.+/+', '', path)
     return path[1:]
 
 and try.

Perfect. Thanks! And I've even learned a little bit more Python today. :-)

 Sorry but I have no 2.0.x around

Probably doesn't matter. The function is exactly the same as in 2.1.5.

 but only found a machine which have working Python 1.x installed.

Thanks for searching.

Kind regards, Axel Beckert
-- 
-
Axel Beckert  ecos electronic communication services gmbh
it security solutions * web applications with apache and perl

Mail:   Tulpenstrasse 5   D-55276 Dienheim near Mainz
E-Mail: [EMAIL PROTECTED]   Voice: +49 6133 939-220
WWW:http://www.ecos.de/   Fax:   +49 6133 939-333
-
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
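An added illustration, not Mailman's code and not from any poster in this thread, of the substitution quoted above paired with a canonical-path containment check that a defender would want underneath it. The archive root and the sample request paths are constructed for the demonstration.

```python
import posixpath
import re

# Constructed archive root for the demonstration only.
ARCHIVE_ROOT = "/usr/local/mailman/archives/private"


def strip_dot_slash(path):
    """The substitution posted in the thread: delete every run of dots that
    is followed by slashes, then drop the leading character (the '/' that
    starts PATH_INFO)."""
    path = re.sub(r'\.+/+', '', path)
    return path[1:]


def safe_archive_path(path_info, root=ARCHIVE_ROOT):
    """Defence-in-depth check layered on top of strip_dot_slash (added here,
    not Mailman's code): normalise the sanitised relative path under the
    archive root and accept it only if it still lies strictly below the root.
    Returns the absolute path, or None when the request must be refused."""
    rel = strip_dot_slash(path_info)
    if not rel or rel.startswith('/'):
        # Empty result, or an absolute remnant that would replace the root
        # in posixpath.join: refuse.
        return None
    full = posixpath.normpath(posixpath.join(root, rel))
    if not full.startswith(root.rstrip('/') + '/'):
        # Resolved to the root directory itself or outside it: refuse.
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests; the second is neutralised by the
    # substitution, the third is refused by the containment check.
    for p in ("/mylist/2005-February/000001.html",
              "/mylist/../../../outside.txt",
              "/mylist/.."):
        print("%-40s -> %s" % (p, safe_archive_path(p)))
```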


[Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Barry Warsaw
There is a critical security flaw in Mailman 2.1.5 and earlier Mailman
2.1 versions which can allow remote attackers to gain access to member
passwords under certain conditions.  The extent of the vulnerability
depends on what version of Apache you are running, and (possibly) how
you have configured your web server.  However, the flaw is in Mailman
and has been fixed in CVS and will be included in the Mailman 2.1.6
release.

This issue has been assigned CVE number CAN-2005-0202.

We currently believe that Apache 2.0 sites are not vulnerable, and that
many if not most Apache 1.3 sites are.  In any event, the safest
approach is to assume the worst and take the remediation steps indicated
below as soon as possible.

The quickest fix is to remove the /usr/local/mailman/cgi-bin/private
executable.  This will disable all access to all private archives on
your system.  While this is the quickest and easiest way to close the
hole, it will also break all your private archives.  If all the lists on
your site only run public archives, this won't matter to you.

Until Mailman 2.1.6 is released, the longer term fix is to apply this
patch:

http://www.list.org/CAN-2005-0202.txt

For additional peace of mind, it is recommended that you regenerate your
member passwords.  Instructions on how to do this, and more information
about this vulnerability are available here:

http://www.list.org/security.html

My thanks to Tokio Kikuchi, Mark J Cox, and the folks on vendor-sec. 
This issue was found by Marcus Meissner.

-Barry




Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread AJ
Can this be applied to any 2.1 release?
I am running 2.1 at the moment.

Thanks.

 Until Mailman 2.1.6 is released, the longer term fix is to apply this
 patch:

   http://www.list.org/CAN-2005-0202.txt



Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread Ralf Hildebrandt
* AJ [EMAIL PROTECTED]:
 Can this be applied to any 2.1 release?
 I am running 2.1 at the moment.

The patch is very small, so I'd think yes.
-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]


Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread AJ
OK, thanks.  With no modifications it did not apply, but I can probably get it
to work.  It shouldn't cause any issues w/ 2.1 should it?
Thanks.
Quoting Ralf Hildebrandt [EMAIL PROTECTED]:
* AJ [EMAIL PROTECTED]:
Can this be applied to any 2.1 release?
I am running 2.1 at the moment.
The patch is very small, so I'd think yes.
--



Re: [Mailman-Users] Critical security update for Mailman 2.1.5 and earlier

2005-02-10 Thread John Dennis
To answer a few recent questions.

To the best of my knowledge the patch is safe for any version of mailman
that contains the function true_path in private.py.

You will not see a new .pyc or .pyo file generated until the script is
executed for the first time after the change. In other words until
someone logs into a private archive for the first time. If you're really
concerned about the old .pyc or .pyo files you can manually remove them.

-- 
John Dennis [EMAIL PROTECTED]
